-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0487
  Security Bulletin: Multiple vulnerabilities impact IBM Aspera Products
                             12 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Aspera High-Speed Transfer Server
                   IBM Aspera High-Speed Transfer Client
                   IBM Aspera Desktop Client
                   IBM Aspera High-Speed Transfer Endpoint
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   Mac OS
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Create Arbitrary Files          -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5443 CVE-2019-1559 CVE-2019-1552
                   CVE-2018-0734  

Reference:         ASB-2020.0025
                   ASB-2020.0017
                   ESB-2020.0314
                   ESB-2020.0267

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1126581
   https://www.ibm.com/support/pages/node/2027745
   https://www.ibm.com/support/pages/node/2020677
   https://www.ibm.com/support/pages/node/2016771

- --------------------------BEGIN INCLUDED TEXT--------------------

Curl vulnerability CVE-2019-5443 impacts IBM Aspera High-Speed Transfer Server,
IBM Aspera High-Speed Transfer Client and IBM Aspera Desktop Client 3.9.1 and earlier

Security Bulletin

Summary

Curl vulnerability CVE-2019-5443 impacts IBM Aspera High-Speed Transfer
Server, IBM Aspera High-Speed Transfer Client and IBM Aspera Desktop Client
3.9.1 and earlier. The fix is delivered in version 3.9.3.

Vulnerability Details

CVEID: CVE-2019-5443
DESCRIPTION: A non-privileged user or program can put code and a config file in
a known non-privileged path (under C:/usr/local/, the configuration and engine
directory that MinGW builds of OpenSSL compile in as their default on Windows)
that will make curl <= 7.65.1 automatically load and run the code (as an
OpenSSL "engine") on invocation. If that curl is invoked by a privileged user,
the planted code runs with that user's privileges and can do anything it wants.
The issue only applies to Windows builds of curl that link OpenSSL; builds that
use Schannel as their TLS backend do not load OpenSSL engines.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162844 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
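The following is an added example, not code from IBM, Aspera or the curl
project. It applies the exposure conditions stated above (Windows/MinGW build,
OpenSSL linked, curl <= 7.65.1) to the first line of `curl --version` output,
which is the quickest way to triage a bundled curl binary. The sample banners
are constructed for illustration, not captured from an Aspera installation.

```python
"""Decide from a `curl --version` banner whether a curl binary falls inside the
CVE-2019-5443 exposure window: a Windows (mingw) build that links OpenSSL, at
curl <= 7.65.1.

Added example; not IBM's, Aspera's or the curl project's code. The sample
banners below are constructed, not captured from a real install.
"""
import re
import subprocess
from typing import NamedTuple, Tuple

# Constructed banners (first line of `curl --version`).
SAMPLE_AFFECTED = (
    "curl 7.64.0 (x86_64-w64-mingw32) libcurl/7.64.0 OpenSSL/1.0.2p zlib/1.2.11\n"
    "Release-Date: 2019-02-06\n"
    "Protocols: dict file ftp ftps http https\n"
    "Features: AsynchDNS IPv6 Largefile SSL libz\n"
)
SAMPLE_FIXED = "curl 7.65.3 (x86_64-w64-mingw32) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11\n"
SAMPLE_LINUX = "curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1 zlib/1.2.11\n"
SAMPLE_SCHANNEL = "curl 7.64.0 (x86_64-w64-mingw32) libcurl/7.64.0 Schannel zlib/1.2.11\n"

# Highest affected release per the advisory text ("curl <= 7.65.1").
LAST_AFFECTED = (7, 65, 1)

BANNER_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)(.*)$")


class CurlBuild(NamedTuple):
    version: Tuple[int, int, int]
    platform: str                 # build triplet, e.g. x86_64-w64-mingw32
    components: Tuple[str, ...]   # linked libraries, e.g. ("OpenSSL", "zlib")


def parse_banner(text: str) -> CurlBuild:
    """Parse the first line of `curl --version` output."""
    first = text.splitlines()[0]
    m = BANNER_RE.match(first)
    if not m:
        raise ValueError("not a curl --version banner: %r" % first)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # Linked libraries are printed as Name/version after the platform triplet;
    # libcurl itself is not a TLS backend, so it is dropped.
    components = tuple(tok.split("/")[0] for tok in m.group(5).split()
                       if "/" in tok and not tok.startswith("libcurl/"))
    return CurlBuild(version, m.group(4), components)


def is_affected_cve_2019_5443(build: CurlBuild) -> bool:
    """All three conditions must hold: Windows build, OpenSSL linked, old curl.

    Only OpenSSL-backed builds load engines from the OPENSSLDIR default, so a
    Schannel-only Windows build does not auto-load code from C:/usr/local/.
    """
    plat = build.platform.lower()
    on_windows = any(k in plat for k in ("mingw", "win32", "win64", "windows"))
    uses_openssl = any(c.lower() == "openssl" for c in build.components)
    return on_windows and uses_openssl and build.version <= LAST_AFFECTED


def check_local_curl(binary: str = "curl") -> bool:
    """Run the given curl binary and apply the check to its banner."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected_cve_2019_5443(parse_banner(out))


if __name__ == "__main__":
    for name, banner in (("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                         ("linux", SAMPLE_LINUX), ("schannel", SAMPLE_SCHANNEL)):
        print(name, is_affected_cve_2019_5443(parse_banner(banner)))
```

Point `check_local_curl()` at the curl binary shipped inside the Aspera
install directory rather than the one on PATH; the bundled copy is the one
the product invokes.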

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+-----------------+
|Affected Product(s)                    |Fix in Version(s)|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Client  |3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.6            |
+---------------------------------------+-----------------+

Workarounds and Mitigations

None


- --------------------------------------------------------------------------------


OpenSSL vulnerability CVE-2019-1552 impacting IBM Aspera High-Speed Transfer
Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop 3.9.1 and earlier

Security Bulletin

Summary

OpenSSL vulnerability CVE-2019-1552 impacts IBM Aspera High-Speed Transfer
Server, Aspera High-Speed Transfer Endpoint and Aspera Desktop 3.9.1 and
earlier, and Aspera Connect 3.7.4 and earlier. The vulnerability is fixed in
IBM Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint and
Aspera Desktop 3.9.6, and in Aspera Connect 3.9.8.

Vulnerability Details

CVEID: CVE-2019-1552
DESCRIPTION: OpenSSL could allow a local attacker to bypass security
restrictions, caused by MinGW and other Windows builds of OpenSSL defaulting
their configuration and engine directories (OPENSSLDIR, ENGINESDIR) to
locations under a world-writable path. An attacker could exploit this
vulnerability to modify the default configuration, insert CA certificates, or
modify (or even replace) existing engine modules.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164498 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
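The check a practitioner wants for CVE-2019-1552, and for the curl engine
loading in CVE-2019-5443 above, which relies on the same path default, is
whether the directories OpenSSL actually reads from can be written by an
unprivileged user. The following is an added example, not code from IBM,
Aspera or the OpenSSL project. The `openssl version -a` output it parses is
constructed to illustrate the MinGW default; on a real host run that command
for the OpenSSL that ships with the product, and run the audit as an ordinary
(non-administrator) user, because the question is whether that user can
create or modify files there.

```python
"""Audit the directories OpenSSL (and a curl linked against it) reads
configuration and engine modules from, for the world-writable path default
behind CVE-2019-1552 and CVE-2019-5443.

Added example; not IBM's, Aspera's or the OpenSSL project's code. The sample
`openssl version -a` output is constructed ("/usr/local" resolved on the
current drive as the mingw default does). Note that os.access() reports
writable for an administrator/root user regardless of permissions, so run
this as the unprivileged account you are worried about.
"""
import os
import re
import subprocess
from typing import Dict, NamedTuple

SAMPLE_VERSION_A = """OpenSSL 1.1.1c  28 May 2019
built on: Tue May 28 13:22:17 2019 UTC
platform: mingw64
OPENSSLDIR: "C:/usr/local/ssl"
ENGINESDIR: "C:/usr/local/lib/engines-1_1"
"""

DIR_RE = re.compile(r'^(OPENSSLDIR|ENGINESDIR):\s*"([^"]+)"', re.MULTILINE)


class DirStatus(NamedTuple):
    path: str
    exists: bool
    nearest_existing: str   # the path itself, or the closest ancestor that exists
    writable: bool          # can the current user write in nearest_existing?


def parse_dirs(version_output: str) -> Dict[str, str]:
    """Pull OPENSSLDIR and ENGINESDIR out of `openssl version -a` output."""
    return dict(DIR_RE.findall(version_output))


def nearest_existing_ancestor(path: str) -> str:
    """Walk up until a path component that exists on disk is found."""
    p = os.path.abspath(path)
    while not os.path.exists(p):
        parent = os.path.dirname(p)
        if parent == p:          # reached the filesystem root
            break
        p = parent
    return p


def audit(dirs: Dict[str, str]) -> Dict[str, DirStatus]:
    """A directory is exposed when it is writable, or when it does not exist
    but its nearest existing ancestor is: an unprivileged user can then simply
    create C:/usr/local/... and everything below it, which is the precondition
    for planting openssl.cnf or an engine DLL."""
    result = {}
    for name, path in dirs.items():
        anc = nearest_existing_ancestor(path)
        result[name] = DirStatus(path, os.path.exists(path), anc,
                                 os.access(anc, os.W_OK))
    return result


def exposed(statuses: Dict[str, DirStatus]) -> Dict[str, bool]:
    """Reduce the audit to a per-directory yes/no."""
    return {name: st.writable for name, st in statuses.items()}


def audit_local_openssl(binary: str = "openssl") -> Dict[str, DirStatus]:
    """Run `openssl version -a` for the given binary and audit its directories."""
    out = subprocess.run([binary, "version", "-a"], capture_output=True,
                         text=True, check=True).stdout
    return audit(parse_dirs(out))


if __name__ == "__main__":
    for name, st in audit(parse_dirs(SAMPLE_VERSION_A)).items():
        print(name, st)
```

If either directory comes back writable for a non-privileged account on a
host where the Aspera binaries are run by a service account or by
administrators, treat the host as exposed until the 3.9.6 (Connect 3.9.8)
upgrade is applied; there is no configuration workaround in the bulletin.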

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Connect                     |3.7.4 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+----------+
|Affected Product(s)                    |Version(s)|
+---------------------------------------+----------+
|IBM Aspera Desktop Client              |3.9.6     |
+---------------------------------------+----------+
|IBM Aspera High-Speed Transfer Server  |3.9.6     |
+---------------------------------------+----------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.6     |
+---------------------------------------+----------+
|IBM Aspera Connect                     |3.9.8     |
+---------------------------------------+----------+

Workarounds and Mitigations

None


- --------------------------------------------------------------------------------


OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera
Desktop Client 3.9.1 and earlier (CVE-2018-0734)

Security Bulletin

Summary

The OpenSSL vulnerability CVE-2018-0734 impacts Aspera High-Speed Transfer
Server 3.9.1 and earlier and Aspera Desktop Client 3.9.1 and earlier. The fix
is delivered in Aspera High-Speed Transfer Server 3.9.3 and Aspera Desktop
Client 3.9.3.

Vulnerability Details

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use variations in
the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a
(Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in
OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
152085 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+-----------------+
|Affected Product(s)                    |Fix in Version(s)|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.6            |
+---------------------------------------+-----------------+

Workarounds and Mitigations

None


- --------------------------------------------------------------------------------


OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera
Desktop Client 3.9.1 and earlier (CVE-2019-1559)

Security Bulletin

Summary

The OpenSSL vulnerability CVE-2019-1559 impacts Aspera High-Speed Transfer
Server 3.9.1 and earlier and Aspera Desktop Client 3.9.1 and earlier. The fix
is delivered in Aspera High-Speed Transfer Server 3.9.3 and Aspera Desktop
Client 3.9.3.

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently based
on that in a way that is detectable to the remote peer, then this amounts to a
padding oracle that could be used to decrypt data. In order for this to be
exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites
are optimised implementations of certain commonly used ciphersuites. Also the
application must call SSL_shutdown() twice even if a protocol error has
occurred (applications should not do this but some do anyway). Fixed in OpenSSL
1.0.2r (Affected 1.0.2-1.0.2q).
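The CVE descriptions above give affected ranges in OpenSSL's own lettered
version scheme (1.0.2 to 1.0.2p, fixed in 1.0.2q, and so on), which is easy to
misread by hand because the letter-less base release sorts before "a". The
following is an added example, not code from IBM, Aspera or the OpenSSL
project, that turns an `openssl version` line (or the OpenSSL/x.y.z token in a
`curl --version` banner) into the list of OpenSSL CVEs in this bulletin whose
ranges contain it. The ranges for CVE-2018-0734 and CVE-2019-1559 are the ones
quoted above; the range for CVE-2019-1552 is not stated in this bulletin and
is taken from the OpenSSL project's advisory for that issue.

```python
"""Map an OpenSSL version string to the OpenSSL CVEs in this bulletin whose
affected ranges contain it.

Added example; not IBM's, Aspera's or the OpenSSL project's code. Ranges for
CVE-2018-0734 and CVE-2019-1559 come from the bulletin text; the CVE-2019-1552
range is from the OpenSSL project's advisory, not from this bulletin.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, str]

# First fixed release per branch. A version is affected when its branch is
# listed and it sorts below the fixed release. The letter-less base release
# ('') sorts before 'a', which matches the "Affected 1.1.1" wording for
# CVE-2018-0734 (only the 1.1.1 base release, fixed in 1.1.1a).
FIXED_IN: Dict[str, Dict[str, str]] = {
    "CVE-2018-0734": {"1.1.1": "1.1.1a", "1.1.0": "1.1.0j", "1.0.2": "1.0.2q"},
    "CVE-2019-1559": {"1.0.2": "1.0.2r"},
    # Not stated in this bulletin; OpenSSL advisory of 30 July 2019.
    "CVE-2019-1552": {"1.1.1": "1.1.1d", "1.1.0": "1.1.0l", "1.0.2": "1.0.2t"},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Version:
    """Accept '1.0.2p', 'OpenSSL 1.0.2p  14 Aug 2018' or 'OpenSSL/1.1.1c-fips'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def branch(v: Version) -> str:
    """'1.0.2p' -> '1.0.2': the release line the fixed-in table is keyed on."""
    return "%d.%d.%d" % v[:3]


def exposures(text: str) -> List[str]:
    """CVEs from FIXED_IN whose affected range contains the given version.

    Tuple comparison does the work: (1, 0, 2, 'p') < (1, 0, 2, 'q') because
    'p' < 'q', and (1, 1, 1, '') < (1, 1, 1, 'a') because '' < 'a'.
    """
    v = parse_version(text)
    hits = []
    for cve, fixed in FIXED_IN.items():
        fixed_version = fixed.get(branch(v))
        if fixed_version is not None and v < parse_version(fixed_version):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.2p  14 Aug 2018", "1.0.2q", "1.1.1",
                   "1.1.1d", "OpenSSL/1.0.2t"):
        print(sample, "->", exposures(sample) or "none of the CVEs in this bulletin")
```

An empty result only means the version is outside the ranges of the CVEs
listed here; it says nothing about later OpenSSL advisories, and a vendor
build may carry backported fixes that the version string does not reveal.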
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
157514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+-----------------+
|Affected Product(s)                    |Fix in Version(s)|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.6            |
+---------------------------------------+-----------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----